HONEYPOTS
Mathew Benwell , Sunee Holland, Grant Pannell
Introduction

What is a honeypot?


“An information system resource whose
value lies in unauthorized or illicit use of
that resource” (Spitzner 2003)
Types of honeypots



Production – captures limited information,
for mitigating risk, used in a corporate
setting
Research – captures lots of information,
learn about threats, develop better
protection


Prevention – keeping a threat out
Detection – sensing attacks, alerting
admins
Reaction – responding to a threat
Low-interaction, medium-interaction, highinteraction

More detail later on
Honeynets/honeyfarms








VMware
honeyd
Fake APs
Fake web servers
Network services


Honeypot used to collect spam
Usually e-mail addresses that prevent
legitimate use to ensure all use is
illegitimate
Usenet newsgroups lure cross-posted
spam
Virtualisation


Network of real computers, high risk, high
information gain
Spamtraps

Prevention, detection, reaction


Implementations
Production vs. Research



Emulate telnet, FTP, SMTP, POP3, HTTP
Multipurpose solutions

Mantrap, Deception Toolkit, HOACD
Advantages/Disadvantages

Advantages

Data collection





Single point of attack


Less bandwidth or activity than
other security implementations



Less complex than other security
mechanisms such as Intrusion
Detection Systems
Less chance of misconfiguration
Cost


No need for high resource usage
Depends on the application
Have a risk of being exploited –
depends on the type of honeypot
More detail later on
Limited view


Useless if it is not attacked
Risk

Simplicity


Disadvantages
Minimise resource usage


Only captures relevant data
Small data sets
High value

Limited data – only captures what
interacts with it and not the whole
scope of the system
Cost


Deployment costs, analysis costs
Depends on the application
Security & Risks

3 Types of Honeypots Classified by Risk

Low-Interaction


High-Interaction






Software/Operating System Services –
Direct access to data





Can use IDS/Firewall between Hacker and
Honeypot
Log Requests, Connections, Patterns
Lack of monitoring  What happens?
Physical disconnection
DMZs and ACLs (Logical)



Possible Exploitation  Access to OS
Buffer Overruns, etc.
Always Monitor Honeypot
Can help if resources limited
Leaves host intact, runs new OS on top
running OS
Virtualisation software exploitable 
Access to host OS
Secure Honeypot By:
Emulated Software and OS needs to be
up-to-date, hardened


Emulated Services – No requests, only
Connections
Emulated Services – Requests with Faked
Responses
Virtualisation (VMWare, etc.)

Medium-Interaction





Predict hacker entry point
Put honeypot in same zone
ACL to control access between DMZ and
sensitive network
ACL to filter honeypot traffic
Honeypot Compromised?

Identity found – send bogus data


Emulated software not accurate
Exploit emulation/software/OS



Disable Honeypot
Remove Gathered Data
Spam Relay, DoS, Attack Hosts
Legal Issues & Evidence

Types of Evidence

Content


Time, Duration, Protocol, Service, Source,
Destination
Entrapment


May exclude evidence
May not be relevant


Keystrokes, Actions, Requests, Credentials
Transactional



Only applies if public law enforcement
involved
Integrity of Evidence

Identity of Honeypot Compromised 
Bogus Data & Patterns

Not all data sent to honeypot is malicious
 Routine Network Broadcasts

Limited View on Network  May not be
relevant to legitimate hosts

Always log! Checksums, Timestamps

Chain of Custody Documentation

Privacy




Laws against tracking real-time data
Law depends on location of honeypot and
hacker
Production Honeypots – exempt by Service
Provider Protection Law, maybe
Research Honeypots – depends if
Transactional or Content data



Content data more sensitive
Prompt user that all activity is logged?
No certain decision yet (2003)

Preparation, Activities, Shutting Down,
Copying, Analysis
Liability

If compromised, ensure honeypot not used
to attack other hosts or organisations

Hacker liable? Administrator liable?

Yet to have certain decision (2003)

Cannot re-attack hacker, classed as DoS!
Recommendation

VMware - Research

High-Interaction
Easy preservation of
memory contents
 Easy duplication of disk
contents
 System easily restored
 May be less likely to
stand up in court
 Ensure host system is
appropriately secured
 Use host integrity checks
to verify host security


Honeyd - Production

Medium-Interaction
Mimics any service
 Mimics multiple operating
systems
 Not a full operating
system so reduces some
honeypot risks
